Google analytics, Guarantor of privacy: the transfer of data from Europe to the United States is illegitimate

Once again, il data transfer outside the European Union to the United States, by Google analytics, has been declared illegitimate by a personal data protection authority. This was established by the Italian Privacy Guarantor, following two similar decisions issued by its Austrian and French counterparts.

According to Ensuresthe service of Google analytics violates the provisions contained in the European General Data Protection Regulation (Gdpr), which explicitly prohibits the transfer of European user data to countries lacking adequate levels of protection, like the United States. The ruling came as a result of what has been defined by the authority as one “Complex investigation”launched on the basis of numerous complaints and in coordination with other European privacy authorities.

According to the European data protection supervisor Wojciech Wiewiórowski it is necessary to intervene on the data protection regulation to make it more effective and solve the distortions of its applications

From the survey, it emerged that the managers of websites that use Google analytics collect, through cookies, various information that directly concern the users of the sites in question. Among the data collected are theIP address of devices, information about the search engine and system operational used, to resolution of the screen, to the lingua selected, as well as date and time of the visit.

All this information, once stored, comes transferred to the United States where users are not entitled to the protections on the use of their data guaranteed by the GDPR. This, despite the Regulation places an explicit prohibition on the transfer of data to countries that do not guarantee levels of protection equal to those in Europe. In declaring the violation of data processing, the Guarantor underlined how theIP address constitutes personal dataeven if truncated, taking into account Google’s ability to enrich it with other data it possesses.

Furthermore, in its statements, the authority recalled how the US government agencies and intelligence agencies can access all data moved to the United States, without any guarantee, underlining how a treatment of this type violates the right to privacy and confidentiality of European users.

In the context of the investigation, the Guarantor then adopted the first of a series of measures with which cautioned Caffeine Media, a company that deals with the management of web, social and mobile projects, ordering the company to comply with the GDPR within three months, under penalty of the suspension of all data flows collected through Google analytics to the United States. The authority then recalled all Italian website operators to verify the compliance of the methods of use of cookies and other tracking tools used on its sites, with particular attention to Google analytics and other similar services. There are 90 days. Then you risk penalties.

Categories:   Internet